#5766 "ipa" command does not recognize KRB5_CLIENT_KTNAME
Closed: worksforme 5 years ago by rcritten. Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1318345

Description of problem:
"ipa" command does not recognize KRB5_CLIENT_KTNAME, therefore it is required to
issue a kinit of appropriate keytab before issuing "ipa" in any automated
scripting.

Version-Release number of selected component (if applicable):
ipa-admintools-4.2.0-15.el7_2.6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. set KRB5_CLIENT_KTNAME
2. run "ipa user-list"
3. fail

Actual results:
Failure if no ccache already exists

Expected results:
ipa should recognize KRB5_CLIENT_KTNAME and initialize ccache appropriately.

This ticket is out of scope of 4.4.0 release. Moving to 4.4.1. Note that 4.4.1 needs to be triaged, therefore not everything will be implemented.

moving out tickets not implemented in 4.4.1

4.4.2 is a stabilization milestone. If this bug is an important stabilization bug then please put it to the NEEDS TRIAGE milestone for retriage.

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

I cannot reproduce the issue any more. Initialization from a keytab with KRB5_CLIENT_KTNAME works fine for me. Please make sure that the file is readable by the current user. KRB5 doesn't print an error when it doesn't have permission to read the keytab file.

RHEL 7

# kdestroy -A
# ipa ping
ipa: ERROR: did not receive Kerberos credentials
# KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa ping
-------------------------------------------
IPA server version 4.5.4. API version 2.228
-------------------------------------------
# klist -A
Ticket cache: KEYRING:persistent:0:krb_ccache_1m3ZllU
Default principal: host/master.ipa.example@IPA.EXAMPLE

Valid starting       Expires              Service principal
2018-04-30 11:30:10  2018-05-01 11:30:10  HTTP/master.ipa.example@IPA.EXAMPLE
2018-04-30 11:30:10  2018-05-01 11:30:10  krbtgt/IPA.EXAMPLE@IPA.EXAMPLE

user without permission to read keytab

$ KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa ping
ipa: ERROR: did not receive Kerberos credentials

master

# KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa ping
------------------------------------------------------------------------------
IPA server version 4.6.90.pre1.dev201804291746+git73c3495db. API version 2.229
------------------------------------------------------------------------------

Metadata Update from @cheimes:
- Issue close_status updated to: None

5 years ago

Closing worksforme per the last comment

Metadata Update from @rcritten:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

5 years ago
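
The comment above notes that an unreadable keytab produces only the generic "did not receive Kerberos credentials" error. The following pre-flight check for automated scripts is an added example, not code from the ticket or from FreeIPA; `check_client_keytab` and its return codes are hypothetical, and treating group/other access to the keytab as a failure is a policy assumed for the example.

```shell
#!/bin/sh
# Added example: verify the client keytab before a non-interactive `ipa` call,
# so a permission problem is reported explicitly instead of surfacing only as
# "did not receive Kerberos credentials".
# check_client_keytab is a hypothetical helper, not part of FreeIPA or MIT krb5.
# Return codes (constructed for this example):
#   0 usable   2 variable unset     3 not an absolute file keytab
#   4 missing  5 unreadable by us   6 accessible to group/other

check_client_keytab() {
    kt=${KRB5_CLIENT_KTNAME:-}
    if [ -z "$kt" ]; then
        echo "KRB5_CLIENT_KTNAME is not set" >&2
        return 2
    fi
    # Accept "FILE:/path" or a bare absolute path; other keytab types are
    # outside what this check can inspect.
    case $kt in
        FILE:*) path=${kt#FILE:} ;;
        /*)     path=$kt ;;
        *)      echo "not an absolute file keytab: $kt" >&2; return 3 ;;
    esac
    if [ ! -f "$path" ]; then
        echo "keytab $path does not exist" >&2
        return 4
    fi
    # The case from the ticket: the file exists but this user cannot read it.
    if [ ! -r "$path" ]; then
        echo "keytab $path is not readable by uid $(id -u)" >&2
        return 5
    fi
    # A keytab holds long-term keys; flag any group/other permission bits.
    perms=$(ls -ldL "$path" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "keytab $path is accessible to group/other ($perms)" >&2
        return 6
    fi
    return 0
}

# Usage in a script (commented out so the file can be sourced safely):
#   check_client_keytab && ipa ping
```

When the script runs as root the readability test always passes, so code 5 is only reachable for unprivileged service accounts.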
